CVE-2026-40149
published 2026-04-09
CVE-2026-40149: PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool…
Priority P3 41, high, 7.3 CVSS 3.1
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
EPSS: 0.23% (13.4th percentile)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.128 | 4.5.128 |
| mervinpraison | praisonai | >= 0 < 4.5.128 | 4.5.128 |
| praison | praisonai | < 4.5.128 | 4.5.128 |
VulDB
MervinPraison PraisonAI up to 4.5.127 auth_token generic exception (GHSA-4wr3-f4p3-5wjh)
vuldb·2026-04-10·CVSS 7.9
CVE-2026-40149 [HIGH] MervinPraison PraisonAI up to 4.5.127 auth_token generic exception (GHSA-4wr3-f4p3-5wjh)
A vulnerability identified as problematic has been detected in MervinPraison PraisonAI up to 4.5.127. Impacted is an unknown function. Performing a manipulation of the argument auth_token results in declaration of catch for generic exception.
This vulnerability is reported as CVE-2026-40149. The attack requires a local approach. No exploit exists.
You should upgrade the affected component.
GHSA
PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls
ghsa·2026-04-10
CVE-2026-40149 [HIGH] CWE-306 PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls
## Summary
The gateway's `/api/approval/allow-list` endpoint permits unauthenticated modification of the tool approval allowlist when no `auth_token` is configured (the default). By adding dangerous tool names (e.g., `shell_exec`, `file_write`) to the allowlist, an attacker can cause the `ExecApprovalManager` to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce.
## Details
The vulnerability arises from the interaction of three components:
**1. Authentication bypass in default config**
`_check_auth()` in `server.py:243-246` returns `None` (no error) when `self.config.auth_to
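The fail-open behaviour the summary describes, modelled beside a fail-closed variant, as an added example that is not PraisonAI's code and not taken from the advisory. `GatewayConfig`, `ApprovalGateway` and their methods are hypothetical stand-ins; only the `auth_token` setting and the tool name `shell_exec` come from the page.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class GatewayConfig:  # hypothetical stand-in, not the project's config class
    auth_token: Optional[str] = None  # unset by default, as the advisory states

@dataclass
class ApprovalGateway:  # hypothetical model of a gateway that owns an allow-list
    config: GatewayConfig
    fail_closed: bool
    allow_list: Set[str] = field(default_factory=set)

    def check_auth(self, presented: Optional[str]) -> Optional[str]:
        """Return None when the request may proceed, else an error string."""
        expected = self.config.auth_token
        if not expected:
            # Fail-open: a missing token authorises every caller.
            # Fail-closed: the same state refuses every caller.
            return "auth_token not configured" if self.fail_closed else None
        if presented is None or not hmac.compare_digest(
                presented.encode(), expected.encode()):
            return "invalid token"
        return None

    def add_to_allow_list(self, tool: str, presented: Optional[str] = None) -> int:
        """Handle an allow-list change; returns an HTTP-style status code."""
        if self.check_auth(presented) is not None:
            return 401
        self.allow_list.add(tool)
        return 200

    def needs_human_approval(self, tool: str) -> bool:
        # Allow-listed tools are auto-approved, so write access to the
        # allow-list is control over the human-in-the-loop gate itself.
        return tool not in self.allow_list

def demo() -> dict:
    """Send one credential-less allow-list request to each variant."""
    results = {}
    for name, closed in (("fail_open", False), ("fail_closed", True)):
        gw = ApprovalGateway(GatewayConfig(), fail_closed=closed)
        status = gw.add_to_allow_list("shell_exec")  # no token presented
        results[name] = (status, gw.needs_human_approval("shell_exec"))
    return results

if __name__ == "__main__":
    print(demo())
```

On versions before 4.5.128 the default configuration has no `auth_token`, so until the upgrade is applied, setting one is the configuration-level control the advisory's wording points to.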
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-09